Security + 3 D
Social engineering
Phishing. Spear phishing. Whaling. Vishing. Tailgating. Impersonation. Dumpster diving. Shoulder surfing. Hoax. Watering hole attack. Principles (reasons for effectiveness).
Attackers use Voice over IP (VoIP) to pretend to be from a trusted organization and ask victims to verify personal information or send money.
Vishing
Traffic filters
are not countermeasures for social engineering because they do not focus on solving the human problem inherent in social engineering attacks.
Port scanning and war dialing
are technical attacks that seek to take advantage of vulnerabilities in systems or networks.
An individual is requesting sensitive information. The individual is engaging in which type of social engineering?
Authority
Principles (reasons for effectiveness)
Authority. Intimidation. Consensus. Scarcity. Familiarity. Trust. Urgency.
What is the primary countermeasure to social engineering?
Awareness
Which of the following is a common social engineering attack?
Distributing hoax virus information emails
Tailgating or Piggybacking
Entering a secure building by following an authorized employee through a secure door without providing identification.
Dumpster diving is a low-tech way of gathering information that may be useful in gaining unauthorized access or as a starting point for more advanced attacks. How can a company reduce the risk associated with dumpster diving?
Establish and enforce a document destruction policy
Virus Hoax
False reports about non-existent viruses that often claim to do impossible things that cause recipients to take drastic action, like shutting down their network.
Passive Social Engineering
Gathering information or gaining access to secure areas by taking advantage of people's unintentional actions
Active Social Engineering
Gathering information or gaining access to secure areas through direct interaction with users
Heavy management oversight
Heavy management oversight may provide some safeguards to social engineering, but it is less effective than awareness.
Eavesdropping
Listening to a conversation between employees discussing sensitive topics
Shoulder Surfing
Looking over the shoulder of someone working on a computer to view usernames, passwords, or account numbers
An attacker convinces personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access
Masquerading
What is the weakest point in an organization's security infrastructure?
People
Which of the following attacks tricks victims into providing confidential information (such as identity information or login credentials) through emails or websites that impersonate an online identity that the victim trusts?
Phishing
Attackers attempt to make the person believe that if they don't act quickly, they will miss out on an item, opportunity, or experience.
Scarcity
Which of the following are examples of social engineering? (Select two.)
Shoulder surfing. Dumpster diving
Attackers send emails with specific information about the victim (such as which online banks they use) that ask them to verify personal information or send money.
Spear phishing
Dumpster Diving
The process of looking in the trash for sensitive information that was not properly disposed of
You have just received a generic-looking email that is addressed as coming from the administrator of your company. The email says that, as part of a system upgrade, you are to go to a new website and enter your user name and password so you can manage your email and spam using the new service. What should you do?
Verify that the email was sent by the administrator and that this new service is legitimate.
You've just received an email message explaining that a new and serious malicious code threat is ravaging across the internet. The message contains detailed information about the threat, its source code, and the damage it can inflict. The message states that you can easily detect whether or not you have already been a victim of this threat by the presence of three files in the \Windows\System32 folder. As a countermeasure, the message suggests that you delete these three files from your system. In response to this message, which action should you take first?
Verify the information on well-known malicious code threat management websites
Which of the following social engineering attacks use Voice over IP (VoIP) to gain sensitive information?
Vishing
An attacker pretending to be from a trusted organization sends emails to senior executives and high-profile personnel asking them to verify personal information or send money.
Whaling
Using IPsec or closing unused ports
protects against automated and technical attacks, not social engineering. Social engineering attacks gain access by exploiting human nature rather than a technical weakness.
Masquerading
refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access.
Passive social engineering
take advantage of the unintentional actions of others to gather information or gain access to a secure facility
Session hijacking
takes over a login session from a legitimate client, impersonating the user and taking advantage of their established communication link.
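The point of session hijacking is that, to the server, the session identifier is the user. The following Python model is an added example (not part of this deck) that shows a victim logging in, an attacker replaying the stolen session ID from a different machine, and the difference a server makes when it binds the session to observable client attributes. The session store, the client attributes, and the fingerprint scheme are constructed for the example.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Toy server-side session store (constructed for this example).

    bind_to_client=False: whoever presents the session ID is the user,
    which is exactly the condition session hijacking exploits.
    bind_to_client=True: the session also records a fingerprint of the
    client that logged in and rejects the ID when it arrives from elsewhere.
    """

    def __init__(self, bind_to_client):
        self.bind_to_client = bind_to_client
        self._sessions = {}  # session id -> {"user": ..., "client": fingerprint}

    @staticmethod
    def fingerprint(client):
        # Attributes the server can observe; assumed to be IP + User-Agent here.
        material = f"{client['ip']}|{client['user_agent']}".encode()
        return hashlib.sha256(material).hexdigest()

    def login(self, username, client):
        # Unguessable ID: hijacking then requires theft (sniffing, XSS), not guessing.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "client": self.fingerprint(client)}
        return sid

    def authenticated_user(self, sid, client):
        """Return the username this request acts as, or None if it is rejected."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if self.bind_to_client and not hmac.compare_digest(
            record["client"], self.fingerprint(client)
        ):
            self._sessions.pop(sid)  # treat the ID as compromised and invalidate it
            return None
        return record["user"]


def hijack_demo(bind_to_client):
    """Victim logs in; attacker replays the stolen session ID from their own host."""
    store = SessionStore(bind_to_client)
    victim = {"ip": "10.0.0.5", "user_agent": "Mozilla/5.0 (Windows NT 10.0)"}
    attacker = {"ip": "203.0.113.7", "user_agent": "curl/8.0"}
    sid = store.login("alice", victim)  # later obtained by the attacker somehow
    as_victim = store.authenticated_user(sid, victim)
    as_attacker = store.authenticated_user(sid, attacker)
    return as_victim, as_attacker


if __name__ == "__main__":
    print("unbound:", hijack_demo(False))  # attacker is accepted as alice
    print("bound:  ", hijack_demo(True))   # attacker is rejected
```

Binding to IP address alone is a blunt instrument (mobile users and NAT pools change addresses legitimately), so real deployments lean on TLS to keep the ID off the wire, Secure/HttpOnly cookie flags, and regenerating the ID at login and privilege changes; the binding check above is one additional layer, not the whole defence.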
How can an organization help prevent social engineering attacks? (Select two.)
1.Publish and enforce clearly-written security policies. 2.Educate employees on the risks and countermeasures.
Social Engineering
A malicious attempt to fraudulently acquire sensitive information, usually accomplished through impersonation
Vishing
A social engineering attack that exploits voice-over-IP telephone services to gain access to an individual's personal and financial information, including their government ID number, bank account numbers, or credit card numbers.
Email Hoax
A social engineering attack that preys on email recipients who are fearful and will believe most information if it is presented
Spear Phishing
A social engineering attack that targets specific individuals within a company to gain access to information that will allow the attacker to gain commercial advantage or commit fraud.
Phishing
A social engineering attack that usually involves sending emails that are purported to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers
watering hole
A social engineering attack where the victim is a group like an organization, an industry, or a region and where the attacker guesses or observes which websites the group uses and infects one or more of them with malware.
Whaling
A spear phishing attack that targets senior executives and high-profile victims.
Adware
Adware is a type of malware that sends you advertisements that you do not request.
Scarcity
An active social engineering technique that attempts to make people believe that if they don't act quickly, they will miss out on an item, opportunity, or experience
Urgency
An active social engineering technique that attempts to make people believe they must act quickly to avoid imminent damage or suffering.
Authority
An active social engineering technique that involves the impersonation of legal, organizational, and social authorities.
Consensus
An active social engineering technique that leverages peoples' willingness to perform an act if others have already performed the act.
Familiarity
An active social engineering technique that leverages peoples' willingness to perform an act requested by someone they are familiar with
Intimidation
An active social engineering technique that usually involves an attacker impersonating a manager or director to frighten lower-level employees to gain information
MAC Spoofing
is changing the source MAC address on frames sent by the attacker and can be used to hide the identity of the attacker's computer or impersonate another device on the network
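Because the source address is just six bytes in the frame header, spoofing it is trivial; what a defender can do is notice when one address shows up where it should not. The following Python example is added here and is not part of this deck: it builds an Ethernet II frame, rewrites its source MAC the way a spoofing host would, and runs frames through a minimal switch-side "sticky MAC" port-security check that flags an address learned on one port when it appears on another. All MAC addresses, port numbers, and payloads are constructed.

```python
import struct

ETHERTYPE_IPV4 = 0x0800


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload):
    """Ethernet II header: 6-byte destination, 6-byte source, 2-byte EtherType, payload."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return bytes_to_mac(dst), bytes_to_mac(src), ethertype, frame[14:]


def spoof_source(frame, fake_src):
    """What a host does when told to use another MAC: bytes 6..11 change, nothing else."""
    return frame[:6] + mac_to_bytes(fake_src) + frame[12:]


class PortSecurity:
    """Minimal switch-side 'sticky MAC' model (constructed for this example).

    Each port learns at most max_per_port source addresses, and an address
    that was learned on one port but arrives on another is reported as a
    possible spoof or impersonation.
    """

    def __init__(self, max_per_port=1):
        self.max_per_port = max_per_port
        self.port_macs = {}  # port -> set of learned MACs
        self.mac_port = {}   # MAC -> port where it was first learned

    def observe(self, port, frame):
        """Return a violation string, or None if the frame is consistent with what was learned."""
        _, src, _, _ = parse_frame(frame)
        learned_on = self.mac_port.get(src)
        if learned_on is not None and learned_on != port:
            return (f"violation: {src} learned on port {learned_on} now seen on port {port} "
                    f"(possible MAC spoofing)")
        macs = self.port_macs.setdefault(port, set())
        if src not in macs and len(macs) >= self.max_per_port:
            return f"violation: port {port} already has {sorted(macs)}; refusing {src}"
        macs.add(src)
        self.mac_port[src] = port
        return None


def demo():
    """Victim on port 1, attacker on port 2; the attacker then impersonates the victim."""
    victim_mac = "aa:bb:cc:00:00:01"
    attacker_mac = "de:ad:be:ef:00:02"
    gateway_mac = "00:11:22:33:44:55"
    switch = PortSecurity()
    legit = build_frame(gateway_mac, victim_mac, ETHERTYPE_IPV4, b"victim traffic")
    own = build_frame(gateway_mac, attacker_mac, ETHERTYPE_IPV4, b"attacker traffic")
    spoofed = spoof_source(own, victim_mac)
    return [switch.observe(1, legit), switch.observe(2, own), switch.observe(2, spoofed)]


if __name__ == "__main__":
    for result in demo():
        print(result or "ok")
```

The check only works because the switch saw the legitimate host first; an attacker who spoofs before the real host connects wins the race, which is why sticky MACs are usually configured statically on access ports rather than learned dynamically.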
Man-in-the-middle attack
is where an attacker intercepts a data stream between two parties, reads or modifies it, and forwards it on to the destination so that neither party notices the interception.
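The defining property of a man-in-the-middle is that the receiver gets whatever the attacker forwarded, so the countermeasure is integrity protection that the attacker cannot recompute. The following Python example is added here and is not part of this deck: it sends a constructed message across a simulated path where an attacker changes one field, once with no protection (the tampered message is accepted) and once with an HMAC-SHA256 tag under a pre-shared key (the tampering is detected). The key and message are constructed assumptions.

```python
import hashlib
import hmac

# Assumed pre-shared key between sender and receiver (constructed, demo only).
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def protect(message, key=SHARED_KEY):
    """Sender: attach an HMAC-SHA256 tag computed over the exact bytes sent."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return message, tag


def verify(message, tag, key=SHARED_KEY):
    """Receiver: recompute the tag over what arrived and compare in constant time."""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def man_in_the_middle(message, old, new):
    """Attacker on the path: intercept, make a small change, forward everything else as-is."""
    return message.replace(old, new)


def unauthenticated_transfer(message, old, new):
    """No integrity protection: the receiver acts on whatever was forwarded."""
    return man_in_the_middle(message, old, new)


def authenticated_transfer(message, old, new):
    """With a MAC: the attacker can alter the bytes but cannot produce a matching tag."""
    original, tag = protect(message)
    forwarded = man_in_the_middle(original, old, new)  # tag is forwarded unchanged
    return forwarded, verify(forwarded, tag)


if __name__ == "__main__":
    msg = b"transfer amount=100 to=acct-4711"
    print("unauthenticated:", unauthenticated_transfer(msg, b"acct-4711", b"acct-6666"))
    forwarded, ok = authenticated_transfer(msg, b"acct-4711", b"acct-6666")
    print("authenticated:  ", forwarded, "accepted" if ok else "REJECTED")
```

A MAC detects modification but does nothing against eavesdropping, and it only helps if the attacker was not also in the middle when the key was agreed; in practice this role is filled by TLS with certificate validation, which authenticates the key exchange as well as the stream.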
Social validation
entails an attacker using peer pressure to coerce someone else to bend rules or give information they shouldn't
Commitment
entails convincing someone to buy into an overall idea, then demanding or including further specifics that were not presented up front.
Which of the following is not a form of social engineering?
impersonating a user by logging on with stolen credentials
A written security policy
is a countermeasure against social engineering. However, without awareness training, it is useless.